diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml
index a227a79cb..0454de0f3 100644
--- a/.github/workflows/release-pr.yaml
+++ b/.github/workflows/release-pr.yaml
@@ -14,6 +14,9 @@ on:
 - release/kong-3.x
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 env:
 # Specify this here because these tests rely on ktf to run kind for cluster creation.
 KIND_VERSION: v0.23.0
diff --git a/.github/workflows/release-push.yaml b/.github/workflows/release-push.yaml
index 0bffe4510..19f9eb645 100644
--- a/.github/workflows/release-push.yaml
+++ b/.github/workflows/release-push.yaml
@@ -6,6 +6,9 @@ on:
 - main
 - release/kong-2.x
+permissions:
+ contents: read
+
 env:
 # Specify this here because these tests rely on ktf to run kind for cluster creation.
 KIND_VERSION: v0.23.0
@@ -71,6 +74,8 @@ jobs:
 timeout-minutes: 30
 needs: lint-test
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.tools_versions.yaml b/.tools_versions.yaml
index b5d2a2cf6..e764cc1ec 100644
--- a/.tools_versions.yaml
+++ b/.tools_versions.yaml
@@ -4,3 +4,5 @@ kube-linter: "0.7.1"
 chartsnap: "0.4.3"
 # renovate: datasource=github-releases depName=koalaman/shellcheck
 shellcheck: "0.10.0"
+# renovate: datasource=github-releases depName=rhysd/actionlint
+actionlint: "1.7.7"
diff --git a/Makefile b/Makefile
index bf3966a86..d8bf6c2c7 100644
--- a/Makefile
+++ b/Makefile
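Review bot: The new top-level `permissions:` block in release-pr.yaml carries no comment saying it is the workflow-wide default for GITHUB_TOKEN, and the same holds for the identical block added at the top of release-push.yaml. Once one scope is listed, every scope that is not listed drops to none for all jobs, so any job outside these hunks that comments on a pull request, writes check results or requests an OIDC token would now fail with a permission error; that should be confirmed against the full job list, which is not visible here. I would add above each block `# Least-privilege default for GITHUB_TOKEN; a job that needs more declares its own permissions block.`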
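Review bot: The job-level `permissions:` / `contents: write` added above `steps:` in release-push.yaml does not say which step needs write access, and the steps after Checkout are outside the hunk, so the grant cannot be matched to its use from here. A job-level block replaces the workflow default instead of extending it, so this job runs with write on contents and no other scope. Because actions/checkout keeps the token in the local git config by default, every later step in the job can push with it. I would annotate the grant, for example `contents: write # needed by: <name of the publishing step>`, and set `persist-credentials: false` on the Checkout step if no later step pushes through git.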
@@ -38,11 +38,18 @@ shellcheck: mise
 @$(MAKE) mise-plugin-install DEP=shellcheck
 @$(MAKE) mise-install DEP_VER=shellcheck@$(SHELLCHECK_VERSION)
+ACTIONLINT_VERSION = $(shell yq -r '.actionlint' < $(TOOLS_VERSIONS_FILE))
+ACTIONLINT = $(PROJECT_DIR)/bin/installs/actionlint/$(ACTIONLINT_VERSION)/bin/actionlint
+.PHONY: download.actionlint
+download.actionlint: mise ## Download actionlint locally if necessary.
+ @$(MISE) plugin install --yes -q actionlint
+ @$(MISE) install -q actionlint@$(ACTIONLINT_VERSION)
+
 .PHONY: tools
 tools: kube-linter chartsnap shellcheck
 .PHONY: lint
-lint: tools lint.charts lint.shellcheck
+lint: tools lint.charts lint.shellcheck lint.actions
 .PHONY: lint.charts
 lint.charts:
@@ -53,6 +60,12 @@ lint.shellcheck: shellcheck
 $(SHELLCHECK) ./scripts/*
 $(SHELLCHECK) ./charts/gateway-operator/scripts/*
+.PHONY: lint.actions
+lint.actions: download.actionlint shellcheck
+# TODO: add more files to be checked
+ $(ACTIONLINT) -shellcheck $(SHELLCHECK) \
+ ./.github/workflows/*
+
 .PHONY: test.golden
 test.golden:
 @ \
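Review bot: `download.actionlint` runs `$(MISE) plugin install --yes -q actionlint` directly, while the `shellcheck` target just above it goes through `$(MAKE) mise-plugin-install DEP=shellcheck` and `mise-install`; the new target should use the same helpers so that whatever they do also applies to actionlint (their bodies are outside the hunk). The tool version is pinned in `.tools_versions.yaml`, but the plugin that fetches it is installed without a pinned revision and auto-confirmed, so that link in the chain can change without a diff in this repository. `ACTIONLINT_VERSION` has no guard either: if `yq` prints nothing or `null`, the install line becomes `actionlint@` or `actionlint@null`, and a first recipe line such as `$(if $(filter-out null,$(ACTIONLINT_VERSION)),,$(error actionlint version missing in $(TOOLS_VERSIONS_FILE)))` would stop the build early. The `tools:` target is left without `download.actionlint`, which looks unintended.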
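Review bot: The `lint.actions` recipe passes `./.github/workflows/*` to actionlint, so every entry in that directory reaches the linter, including any file that is not a workflow. Restricting the glob to the extension the repository uses, `./.github/workflows/*.yaml`, or dropping the file argument so that actionlint finds the workflows itself, would be tighter. The comment `# TODO: add more files to be checked` does not say which files are meant; I would name them, for example `# TODO: also lint <paths still to be covered>`, so the gap in coverage is visible to the next reader.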